includeAllNetworks

Hi All, I have a NEDNSProxyProvider System Extension and my logs are full of sandbox violations, all like: error 2021-09-21 10:42:30.557390 -0400 sandboxd com.apple.sandbox.reporting violation System Policy: com.myCompany.mac(640) deny(1) system-privilege 10006 Violation: deny(1) system-privilege 10006 Process: com.myCompany.mac [640] Path: /Library/SystemExtensions/4375ED6E-69A9-4897-8B39-4252AD9843AD/com.myCompany.macos.netext.dnsproxy.systemextension/Contents/MacOS/com.myCompany.macos.netext.dnsproxy Load Address: 0x1028a8000 Identifier: com.myCompany.macos.netext.dnsproxy Version: 78 (2.0.0) Code Type: arm64 (Native) Parent Process: launchd [1] Responsible: /Library/SystemExtensions/4375ED6E-69A9-4897-8B39-4252AD9843AD/com.myCompany.macos.netext.dnsproxy.systemextension/Contents/MacOS/com.myCompany.macos.netext.dnsproxy User ID: 0 Date/Time: 2021-09-21 10:42:30.522 EDT OS Version: macOS 11.6 (20G165) Report Version: 8 MetaData: {uid:0,summary:deny(1) system-privilege 10006,errno:1,hardware:J293,operation:

Recently I tested my VPN application on iOS 15 beta 8 / Xcode 13 beta 5. It looks like that the precedence is IPSec VPN > iCloud private relay > NEPacketTunnelProvider VPN. When the iCloud private relay is switched on if use IPSec VPN(I think it's using the IPSec interface) the browser's network traffic is still being routed to the IPSec tunnel. But for the implementation with NEPacetTunnelProvider VPN(UTUN interface) the browser's traffic is being routed to the private relay. I don't see any doc describing this but it seems this is the design. And another question is the IncludeAllNetworks setting for the VPN. If set the IncludeAllNetworks to be 1 then the device global traffic would be routed to the VPN, but the excludedRoutes settings in the VPN would be unavailable, no routes would be excluded. Is the above understanding correct?

Hi, I'm new in this area. I have several questions to ask. I'm implementing a vpn client by using NETunnelProviderProtocol(). After I start the tunnel successfully, I can't get any packets from self.packetFlow.readPacketObjects. Is the NETunnelProviderProtocol able to gather the packet from whole device ?(just work like a normal vpn client) Is it safe to turn includeAllNetworks() to true? thanks

As described in a few threads here, it is not possible to set IncludeAllNetworks to true on NEVPNProtocolIKEv2 if there are any Enterprise VPNs with NEVPNProtocolIKEv2 enabled, even if they are not used at that moment. The problem I faced, is that system does not have any other VPN configs listed in System Preferences - Network, but connection still can't be established with error: Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession due to Enterprise VPN session NESMVPNSession. Is there any other place in the system where VPN configs can be found?

I've been looking at adding includeAllNetworks to our Network Extension VPN (Packet Tunnel Provider). We do some authentication in the app and then start the VPN. All connections in the VPN extension are done by IP address, so there is no name resolution required. The connection setup in the VPN extension involves some HTTP GETS & responses. I'm seeing a couple of problems. It looks like includeAllNetworks has to be set on the VPN configuration when it's defined. Is that correct? When I try setting it at other points, either in the NEPacketTunnelProvider protocolConfiguration or in the NEVPNManager protocol configuration it has no effect. The protocol itself appears to be inaccessible. When I set it in the NEVPNManager's protocolConfiguration before I start the connection it shows includeAllNetworks as set, but when I start the connection the nesessionmanager debug output shows that it's not set in the protocol and it's not in effect. Is there any way to set this on-the-fly?